September 2008
Report No. AUD-08-019

Reliability of Supervisory Information Accessed Through the Virtual Supervisory Information on the Net (ViSION) System

AUDIT REPORT

Federal Deposit Insurance Corporation

Why We Did The Audit

ViSION is a mission-critical FDIC system that provides access to a broad range of information related to insured financial institutions in support of the Corporation’s insurance and supervision programs. The system serves approximately 3,900 FDIC and outside agency users (primarily other federal and state regulatory agencies). The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system.

Background

Key supervisory information accessed through the ViSION system includes: (1) examination ratings used to evaluate the safety and soundness of financial institutions; (2) Bank Secrecy Act (BSA) examination information reported to the Department of the Treasury; (3) safety and soundness Reports of Examination (ROE) provided to financial institutions; and (4) ROE processing dates used to monitor examination frequency and determine deposit insurance assessments for financial institutions. The FDIC’s Division of Supervision and Consumer Protection (DSC) is responsible for ensuring the reliability of supervisory information in each of these four areas.

We reviewed a sample of 75 of the 5,075 financial institutions for which the FDIC was the primary federal regulator as of April 3, 2008. For each of the 75 institutions, we verified supervisory information accessed through the ViSION system to source documentation, such as hard copy ROEs. We considered the information we assessed to be reliable if it was accurate and complete as described in the Government Accountability Office’s publication Assessing the Reliability of Computer-Processed Data.

Audit Results

Supervisory information accessed through the ViSION system was not fully reliable in each of the four areas that we assessed. The table below summarizes the results of our assessment of key supervisory information accessed through the ViSION system for each of the 75 financial institutions we sampled.

Reliability of Key Supervisory Information for 75 Institutions

Institution Information    Financial Institution    BSA             Safety and         ROE Processing
as of May 28, 2008         Examination Ratings      Examinations    Soundness ROEs     Dates
Reliable                   73                       73              42                 65
Unreliable                 2                        2               33                 10
Total Institutions         75                       75              75                 75

Source: Analysis of information in the ViSION system, hard copy ROEs, and discussions with DSC officials.

Unreliable information pertaining to examination ratings, BSA violations, and ROE processing dates resulted principally from erroneous data entry. Unreliable information pertaining to ROEs resulted principally from state regulatory agencies not submitting electronic ROEs to the FDIC and insufficient controls over the collection, processing, and storage of ROEs. Unreliable information accessed through the ViSION system can limit the efficiencies that the FDIC intended to achieve through automation such as accurate, timely, and consistent data used for off-site monitoring of financial institutions. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions. Unreliable ROE processing dates resulted in 1 of 75 sampled institutions being significantly undercharged ($3,050, or about 10 percent) on one of its quarterly deposit insurance assessments.

DSC has taken steps to promote the reliability of information accessed through the ViSION system. For example, DSC periodically reviews the integrity of selected information accessible through the ViSION system as part of the division’s internal reviews. DSC also identified concerns regarding the reliability of ROE information prior to our audit and was working to improve its processes and technology for collecting, processing, and storing electronic ROEs. However, DSC had not performed an assessment of supervisory information accessed through the ViSION system to determine an acceptable information accuracy rate. Establishing an information accuracy rate is important for ensuring cost-beneficial controls over the reliability of information accessed through the ViSION system.

Recommendation and Management Response

We recommended that the Director, DSC, conduct an assessment of key supervisory information accessed through the ViSION system in order to define an acceptable accuracy rate and identify respective controls and responsibilities over the reliability of supervisory information consistent with the results of the assessment.

DSC concurred with our recommendation and has planned to take responsive actions.

To view the full report, go to www.fdicig.gov/2008reports.asp

Contents

BACKGROUND
  Key Supervisory Information Accessed Through the ViSION System
  Assessing the Reliability of Key Supervisory Information

RESULTS OF AUDIT

ASSESSMENT OF KEY SUPERVISORY INFORMATION ACCESSED THROUGH THE VISION SYSTEM
  Examination Ratings
  BSA Examinations
  Safety and Soundness ROEs
  ROE Processing Dates
  Strengthening the Reliability of Key Supervisory Information
  Recommendation Related to ViSION System Information Reliability

CORPORATION COMMENTS AND OIG EVALUATION

APPENDICES
  1. OBJECTIVE, SCOPE, AND METHODOLOGY
  2. ROLE OF EXAMINATION MAIL DATES IN CALCULATING DEPOSIT INSURANCE ASSESSMENTS
  3. CORPORATION COMMENTS
  4. MANAGEMENT RESPONSE TO THE RECOMMENDATION
  5. ACRONYMS USED IN THE REPORT

TABLES
  1. Reliability of Key Supervisory Information for 75 Sampled Institutions
  2. Unreliable Examination Mail Dates in the ViSION System
  3. Effects of Unreliable Examination Mail Dates on Insurance Assessments

Federal Deposit Insurance Corporation, Office of Audits, Office of Inspector General
3501 Fairfax Drive, Arlington, VA 22226

DATE:            September 25, 2008

MEMORANDUM TO:   Sandra L. Thompson, Director
                 Division of Supervision and Consumer Protection

FROM:            /Signed/
                 Russell A. Rau
                 Assistant Inspector General for Audits

SUBJECT:         Reliability of Supervisory Information Accessed Through the Virtual Supervisory Information on the Net (ViSION) System (Report No. AUD-08-019)

This report presents the results of our audit of the reliability of supervisory information accessed through the ViSION system.
ViSION is a mission-critical FDIC system [1] that provides access to a broad range of information related to insured financial institutions in support of the Corporation’s insurance and supervision programs. The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

BACKGROUND

The ViSION system is one of the most widely-used Web-based systems at the FDIC. During the first 6 months of 2008, the system recorded approximately 5.7 million pages viewed and served about 3,900 FDIC and outside agency users (primarily other federal and state regulatory agencies). The ViSION system’s primary users within the FDIC are executives, regional managers, case managers, review examiners, and field examiners in the Division of Supervision and Consumer Protection (DSC). DSC personnel use the system to perform supervisory-related functions, such as tracking applications, accessing examination information, and monitoring enforcement actions. Analysts in the Division of Insurance and Research (DIR) also rely on information in the ViSION system to perform insurance-related functions, such as analyzing trends in the banking industry and calculating deposit insurance assessment rates for financial institutions.

[1] FDIC Circular 1360.13, Information Technology Contingency Planning, dated June 30, 2008, defines a mission-critical system as any information technology (IT) application, resource, or service that is deemed essential to the mission or business of the FDIC. Mission-critical systems require special attention to security due to their high need for availability.

Key Supervisory Information Accessed Through the ViSION System

Key supervisory information accessed through the ViSION system includes: (1) financial institution examination ratings (examination ratings); (2) Bank Secrecy Act (BSA) of 1970 examination information (BSA examinations) reported to the Department of the Treasury; (3) safety and soundness Reports of Examination (ROE); and (4) ROE processing dates used to monitor examination frequency and determine deposit insurance assessments for financial institutions. Our audit focused on assessing the reliability of information in these four areas because of their criticality to the success of the FDIC’s insurance and supervision programs. A brief description of each area follows.

    • Examination Ratings. Pursuant to the Uniform Financial Institutions Rating System, federal and state regulatory agencies assign examination ratings to financial institutions based on the results of safety and soundness examinations and other supervisory activities. Examination ratings consist of a composite rating reflecting the institution’s overall financial condition and operations and six component ratings pertaining to the institution’s capital, assets, management, earnings, liquidity, and sensitivity to market risk (collectively referred to as CAMELS ratings). [2] DSC personnel manually enter composite and component ratings for all FDIC-insured financial institutions into the ViSION system, which is the Corporation’s system of record for examination ratings.
      The reliability of examination ratings is critical because they are used by the FDIC and other regulatory agencies to focus supervisory attention on institutions experiencing financial and operational weaknesses and to monitor safety and soundness trends throughout the financial industry. Examination ratings are also used in calculating deposit insurance assessments charged to financial institutions.

    • BSA Examinations. Congress enacted BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity. BSA requires financial institutions to assist government agencies in this regard by maintaining appropriate records and filing certain reports that can be used in criminal, tax, or regulatory investigations or proceedings. Under the Act, the FDIC is authorized to examine financial institutions for BSA compliance and refer significant violations and deficiencies to the Department of the Treasury (the Treasury). The FDIC and state regulatory agencies examine financial institutions for BSA compliance in conjunction with safety and soundness examinations. DSC personnel manually enter the results of BSA examinations, including the number and type of violations and enforcement actions (if any), into the ViSION system. To facilitate this process, DSC has established codes in the ViSION system that correspond to specific types of BSA violations and enforcement actions.
      DSC uses information in the ViSION system to report BSA examination information to the Treasury.

[2] Composite and component ratings are assigned on a scale of 1 to 5, with 1 representing the highest rating and least degree of supervisory concern and 5 representing the lowest rating and greatest degree of supervisory concern.

    • Safety and Soundness ROEs. Users of the ViSION system can access ROEs pertaining to FDIC-supervised financial institutions through a system component called the ROE module. The ROE module links users of the ViSION system to a separate standalone system called the Interagency Examination Repository (IER), which is used by FDIC and state examiners to store and access electronic copies of completed safety and soundness ROEs. FDIC and state examination personnel enter ROEs into the IER using a combination of manual and automated processes. DSC intended for the IER to promote efficiencies in the off-site monitoring of financial institutions. However, as discussed later in this report, concerns regarding the reliability of information in the IER require DSC to rely instead on hard copy ROEs as the system of record for examinations.

    • ROE Processing Dates. Our audit focused on three ROE processing dates that the FDIC uses to monitor examination frequency and determine deposit insurance assessment rates for financial institutions. All three dates, which are manually entered into the ViSION system by DSC personnel, are described below.

        o Examination Start Date. The date that the FDIC examination team begins the on-site examination.
          DSC uses this date (along with the examination completion date described below) to monitor compliance with regulatory requirements concerning the length of time between examinations.

        o Examination Completion Date. The date that the FDIC examination team completes the examination and submits the ROE for supervisory review.

        o Examination Mail Date. The date that the federal or state regulatory agency mails the completed ROE to the financial institution. DIR uses the examination mail date (also referred to as the “transmittal date”) to determine when deposit insurance assessment pricing changes become effective for financial institutions. [3]

The FDIC has established a Data Stewardship Program [4] to enable the Corporation to, among other things, ensure the usefulness, accuracy, timeliness, and accessibility of corporate data. Under the program, divisions and offices designate subject matter experts (SME) who are responsible for preserving the accuracy of data entered into application systems and databases.
Within DSC, personnel in the Technology Supervision Branch serve as SMEs for the ViSION system.

[3] FDIC Rules and Regulations Part 327.4, Assessment Rates, describes circumstances in which the effective date for determining deposit insurance assessment pricing can be different than the examination mail date. Such circumstances include, for example, situations in which the FDIC disagrees with a financial institution examination rating assigned by another regulatory agency and determines that a rating change is warranted.

[4] FDIC Circular 1301.3, Data Stewardship Program, dated September 4, 2001.

Assessing the Reliability of Key Supervisory Information

We used the Government Accountability Office’s (GAO) October 2002 publication entitled, Assessing the Reliability of Computer-Processed Data, as the overarching criteria for assessing the reliability of supervisory information accessed through the ViSION system. The publication states that computer-processed data are reliable when they are accurate (i.e., they reflect the data entered at the source or in the source documents) and complete (i.e., they contain all relevant data elements and records). Based on a random sample of 75 financial institutions for which the FDIC is the primary federal regulator, we verified key supervisory information accessed through the ViSION system to source documentation, such as hard copy safety and soundness ROEs.

RESULTS OF AUDIT

Supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates was not fully reliable for the 75 financial institutions that we sampled. Specifically, examination ratings and BSA examinations were generally reliable, with some exceptions.
Safety and soundness ROEs were not reliable for 33 of the 75 institutions, and ROE processing dates were not reliable for 10 of the 75 institutions. Unreliable information accessed through the ViSION system can limit the efficiencies that the FDIC intended to achieve through automation such as accurate, timely, and consistent data used for off-site monitoring of financial institutions. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions. Unreliable ROE processing dates resulted in 1 of 75 sampled institutions being significantly undercharged ($3,050, or about 10 percent) on one of its quarterly deposit insurance assessments.

ASSESSMENT OF KEY SUPERVISORY INFORMATION ACCESSED THROUGH THE VISION SYSTEM

As reflected in Table 1 below, supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates was not fully reliable for the 75 financial institutions that we sampled. Unreliable information accessed through the ViSION system can limit the efficiencies, such as accurate, timely, and consistent data used for off-site monitoring of financial institutions, that the FDIC intended to achieve through automation. In addition, because ROE processing dates are used in determining deposit insurance assessments, the reliability of those dates is critical to ensuring the integrity of premiums charged to insured financial institutions.

Table 1. Reliability of Key Supervisory Information for 75 Sampled Institutions

Institution Information    Examination    BSA             Safety and         ROE Processing
as of May 28, 2008         Ratings        Examinations    Soundness ROEs     Dates
Reliable                   73             73              42                 65
Unreliable                 2              2               33                 10
Total Institutions         75             75              75                 75

Source: Office of Inspector General (OIG) analysis of information in the ViSION system, hard copy ROEs, and discussions with DSC officials.

Examination Ratings

DSC’s Risk Management Examination Manual states that examination ratings are used by regulators to evaluate the safety and soundness of financial institutions and to identify those institutions requiring special supervisory attention or concern. In addition, FDIC Circular 4700.1, Risk Related Premium System, dated June 7, 2007, states that maintaining accurate and complete examination ratings in the ViSION system is “extremely important” because the ratings are used in calculating deposit insurance assessments for financial institutions. Due to erroneous data entry, the ViSION system contained inaccurate component ratings for 2 of the 75 financial institutions that we sampled. We brought these inaccuracies to the attention of DSC officials during our audit, and the ratings were corrected in the ViSION system.
The inaccurate ratings resulted in a slight undercharge (less than $15.00) for one institution on its 4th quarter 2007 deposit insurance assessment.

BSA Examinations

Under the terms of a Memorandum of Understanding between the Federal Banking Agencies (FBA) [5] and the Treasury’s Financial Crimes Enforcement Network (FinCEN), the FDIC is required to report information to FinCEN on the BSA examinations the Corporation conducts or reviews. Information typically reported includes, for example, the number of BSA examinations conducted, the number and type of BSA violations identified, and the type of BSA enforcement actions taken. DSC Regional Director Memorandum 03-048, Bank Secrecy Act Examination Violations Codes, dated October 20, 2003, states that information in the ViSION system is used to fulfill the FDIC’s obligation to report BSA violations to FinCEN. The ViSION system did not contain all relevant BSA information for 2 of the 75 financial institutions that we sampled. For one institution, the system did not contain a BSA violation cited in the safety and soundness ROE because DSC had not developed a violation code to track the specific type of violation cited. [6] As a result, DSC did not include this violation in its BSA reporting to FinCEN. For the remaining institution, the ViSION system contained some, but not all, pertinent BSA information due to an oversight.
Specifically, the BSA module in the ViSION system did not contain information regarding whether a BSA examination had been conducted or whether BSA violations had been identified for that institution.

[5] The FBAs are the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

[6] The ROE states that the institution had not completed its Suspicious Activity Reports (SAR) correctly. A DSC official advised us that although the ViSION system contains a BSA violation code for failure to file a SAR, it does not contain a code for an incorrectly filed SAR because this type of violation is infrequently cited by examiners.

Safety and Soundness ROEs

DSC Regional Director Memorandum 03-023, Integrity of Data Stored in the Interagency Examination Repository, dated July 1, 2003, emphasizes the importance of maintaining reliable ROEs in the IER to facilitate the off-site analysis of financial institutions. (As previously discussed, users of the ViSION system can access ROEs stored in the IER through a link in the system called the ROE module.) ROEs were not accessible through the ViSION system for 19 (25 percent) of the 75 financial institutions that we sampled. In addition, 14 (25 percent) of the 56 ROEs that were accessible through the ViSION system were draft versions of the final ROEs that did not reflect changes made during the supervisory review process. [7] DSC officials informed us that they had identified data reliability concerns with ROEs stored in the IER prior to our audit and attributed these concerns to two principal factors:

    • Electronic ROEs Not Submitted by State Regulatory Agencies. Although information on all state regulatory agencies was not available at the time of our audit, a DSC official provided information indicating that 10 state regulatory agencies do not upload electronic ROEs to the IER for the examinations they conduct. In general, these regulators do not upload ROEs because of past technical problems experienced with the IER.
      For example, in January 2008, the FDIC advised state regulatory agencies to discontinue uploading ROEs to the IER for 6 weeks to allow for the correction of a system configuration problem. Thirteen of the 19 ROEs in our sample that were not accessible through the ViSION system had been prepared by state regulatory agencies.

    • Controls Over the Collection, Processing, and Upload of Electronic ROEs. DSC officials indicated that controls for collecting, processing, and uploading ROEs to the IER do not ensure that final ROEs are entered into the system. Current practices for collecting, processing, and uploading ROEs to the IER vary among the FDIC’s regional and field offices, involve multiple steps requiring coordination among DSC and Division of Information Technology (DIT) personnel, and are dependent on electronic ROE files being named properly. DSC is currently working on a multi-year project to improve its processes and technology for collecting, processing, and uploading ROEs to the IER.
      DSC officials informed us that, when fully implemented, these control improvements will significantly increase the reliability of ROE information in the IER.

[7] Such changes included, for example, modifications of component ratings and financial ratios and the addition of report sections or narrative describing examination results.

ROE Processing Dates

The DSC Risk Management Manual of Examination Policies states that the examination start date and examination completion date are used to monitor compliance with regulatory requirements concerning the length of time between examinations. Circular 4700.1 states that it is “extremely important” for the examination mail date in the ViSION system to be accurate and complete because the Risk Related Premium System (RRPS) [8] uses this date to determine when deposit insurance assessment pricing changes become effective for financial institutions. The ViSION system contained unreliable ROE processing dates for 10 of the 75 financial institutions that we sampled. Specifically, the system contained inaccurate examination start dates for two institutions, an inaccurate examination completion date for one institution, and inaccurate or incomplete mail dates for eight institutions. [9] Generally, these dates were off by a range of a few days to approximately 1 month. Unreliable ROE processing dates were principally caused by erroneous data entry.

Unreliable examination start and completion dates did not negatively impact DSC’s examination schedules for the institutions we reviewed. However, unreliable examination mail dates affected the accuracy of deposit insurance assessments for three FDIC-insured financial institutions. One of the institutions was undercharged $3,050 (about 10 percent of the institution’s fourth quarter 2007 deposit insurance assessment). The monetary errors for the other two institutions were immaterial.
Unreliable\n      examination mail dates had no effect on the deposit insurance assessments of the\n      remaining five institutions for two principal reasons: (1) the manner in which the FDIC\n      calculated insurance assessments prior to the implementation of deposit insurance reform\n      legislation differs from current practices and (2) examination ratings, which are a key\n      factor in determining assessments, were substantially the same between the prior and\n      current examinations for some of the institutions. See Appendix 2 for more detailed\n      information regarding how examination mail dates can affect deposit insurance\n      assessments for FDIC-insured financial institutions.\n\n\n\n\n      8\n        RRPS is the FDIC\xe2\x80\x99s system of record for assigning risk categories and deposit insurance assessment rates\n      to FDIC-insured financial institutions. RRPS is a module of the ViSION system.\n      9\n        One institution had both an inaccurate examination start and mail date. The examination start date for one\n      institution was inaccurate by 7 days and by 30 days for the remaining institution. The inaccurate\n      examination completion date was inaccurate by 3 days. The ViSION system did not contain an\n      examination mail date for three institutions, and the remaining five institutions had examination mail dates\n      that were inaccurate by 3 to 32 days.\n\n\n                                                           7\n\x0cStrengthening the Reliability of Key Supervisory Information\n\n      GAO\xe2\x80\x99s November 1999 publication entitled, Standards for Internal Control in the\n      Federal Government, identifies a number of internal control activities that organizations\n      can consider implementing to promote accurate and complete computer-processed data.\n      Such internal control activities include, for example, data edit checks, verifications, and\n      reconciliations. 
According to the publication, organizations should design and implement internal control activities based on related costs and benefits. In this context, organizations may, based on an assessment of risk, determine that data are reliable even though they are not error free. Within the FDIC, the Division of Resolutions and Receiverships (DRR) took such an approach when it established a formal Data Quality Program in September 2005 to ensure “highly reliable and accurate data” within its priority IT systems.[10] Under the program, critical data elements within DRR’s priority IT systems are considered reliable if they demonstrate an accuracy rate of 90 percent or better based on data quality testing.

DSC has taken steps to promote the reliability of information accessed through the ViSION system. Such steps include designating SMEs for the ViSION system and periodically assessing the reliability of information accessed through the ViSION system during the division’s internal reviews.
However, DSC can improve the reliability of supervisory information accessed through the ViSION system by conducting an assessment of such information to determine an acceptable data accuracy rate. Establishing a data accuracy rate based on an assessment of relevant risks, costs, and benefits can provide DSC a basis for designing and implementing controls over the reliability of information accessed through the ViSION system that are efficient and effective.


Recommendation Related to ViSION System Information Reliability

We recommend that the Director, DSC, conduct an assessment of supervisory information accessed through the ViSION system in order to define an acceptable accuracy rate and define controls and responsibilities over the reliability of supervisory information consistent with the results of the assessment.


CORPORATION COMMENTS AND OIG EVALUATION

On September 16, 2008, the Director, DSC, provided a written response to the draft of this report. Management’s response is presented in its entirety in Appendix 3 of this report. In its response, DSC concurred with the recommendation and outlined its planned corrective actions.

[10] DRR Circular 4360.14, Data Quality Program, dated October 30, 2005.
The circular defines priority IT systems as any manual or automated system maintained by DRR for the storage and retrieval of information that is designated as such by the Deputy Director, DRR.

To address the recommendation, DSC will conduct a risk-based assessment of supervisory information accessed in ViSION to formalize acceptable data accuracy rates and to refine and clarify controls and responsibilities for monitoring data accuracy. These actions will be completed by June 30, 2009.

A summary of management’s response to the recommendation is in Appendix 4 of this report. DSC’s planned actions are responsive to our recommendation. The recommendation is resolved but will remain open until we determine that the agreed-to corrective actions have been completed and are responsive.


APPENDIX 1
OBJECTIVE, SCOPE, AND METHODOLOGY


Objective

The objective of the audit was to assess the reliability of key supervisory information accessed through the ViSION system. We performed the work because supervisory information accessible through the ViSION system is important to the success of the FDIC’s insurance and supervision programs. We conducted this performance audit from March through August 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


Scope and Methodology

We limited the scope of the audit to assessing the reliability of supervisory information accessed through the ViSION system pertaining to examination ratings, BSA examinations, safety and soundness ROEs, and ROE processing dates. We based our assessment on a random sample of 75 (or 1.5 percent) of 5,075 financial institutions for which the FDIC was the primary federal regulator on April 3, 2008. Examinations for 37 of the 75 financial institutions were conducted by state regulatory agencies, and examinations for the remaining 38 institutions were conducted by the FDIC. The examinations we reviewed were conducted during the period July 2006 through April 2008. We considered the information we assessed to be reliable if it was accurate and complete as described in GAO’s publication entitled, Assessing the Reliability of Computer Processed Data.

To accomplish our objective, we:

• Interviewed DSC and DIT officials in the FDIC’s Washington, D.C., area offices and selected regional and field offices to identify key supervisory information accessed through the ViSION system and to obtain an understanding of how this information is used to support the FDIC’s supervision and insurance programs.

• Assessed the reliability of key supervisory information accessible through the ViSION system as of May 28, 2008.
  For each institution, we compared key supervisory information to source documentation, such as hard copy ROEs, report transmittal memorandums, and BSA data entry forms, for the institution’s most recently completed safety and soundness and BSA examinations. Additionally, we considered relevant information obtained during interviews with DSC and DIT personnel, particularly when discrepancies were identified through our comparisons.

• Reviewed the results of relevant data quality assurance work conducted by DSC’s Internal Control and Review Section as part of its field territory and regional office reviews.

• Worked with a DIR representative to assess the effect that unreliable examination ratings and ROE processing dates had on the deposit insurance assessments of the financial institutions we sampled.

• Reviewed relevant provisions of FDIC policies, procedures, and guidelines including:

    o The DSC Risk Management Manual of Examination Policies, dated December 2004
    o The Case Manager Procedures Manual, dated April 2004
    o Circular 4700.1, Risk Related Premium System, dated June 6, 2007
    o Circular 1301.3, Data Stewardship Program, dated September 4, 2001
    o DSC Regional Director Memorandum 03-023, Integrity of Data in the Interagency Examination Repository, dated July 1, 2003
    o DSC Regional Director Memorandum 03-048, Bank Secrecy Act Examination Violation Codes, dated October 20, 2005
    o DSC Regional Director Memorandum 05-039, Relationship Manager Program Implementation, dated September 30, 2005
    o FDIC Financial Institution Letter (FIL) 90-2003, Deposit Insurance Assessments, dated November 28, 2003
    o FIL 90-2007, Examination Cycle, dated October 24, 2007
    o DRR Circular 4360.14, Data Quality Program, dated September 30, 2005


Internal Control

We assessed the FDIC’s internal controls designed to ensure the reliability of key supervisory information accessed through the ViSION system. Such controls included relevant FDIC policies, procedures, and guidelines; the role of SMEs in maintaining reliable information in the ViSION system and IER; and DSC’s practices for entering and maintaining key supervisory information into the ViSION system and IER. Also, we considered relevant data quality assurance work conducted by DSC’s Internal Control and Review Section as part of their field territory and regional office reviews.


Reliance on Computer-processed Information

We relied on information in the ViSION system to identify the total number of examined financial institutions for which the FDIC was the primary federal regulator as of April 3, 2008. We used this information as our universe in selecting a random sample of 75 financial institutions for detailed analysis.
To assure ourselves that the total number of FDIC-supervised institutions in the ViSION system was sufficiently reliable, we compared this information to a listing of FDIC-supervised financial institutions in the FDIC’s Institution Directory system as of April 3, 2008 and to information included in the FDIC’s 2007 annual report to the Congress. Further, we spoke with DSC officials to obtain their views on the integrity of the information and to discuss the manner in which we were planning to use it. We performed tests of the reliability of ViSION data in order to accomplish our audit objective.


Performance Measurement

We reviewed the FDIC’s 2005-2010 Strategic Plan, 2008 Annual Performance Plan, 2008 Corporate Performance Objectives, and 2007 Annual Report and found that they did not contain goals, objectives, or performance measures that were specifically relevant to our audit.


Compliance With Laws and Regulations

We considered the following laws and regulations in determining the supervisory information to be assessed during the audit. Evaluation of compliance with these laws and regulations was not significant to the audit objective.

• Section 10(d) of the Federal Deposit Insurance Act (the FDI Act) – DSC uses the examination start and complete dates recorded in the ViSION system to schedule examinations in order to meet the examination frequency requirements of this section.

• 31 Code of Federal Regulations (C.F.R.) Part 103, Section 103.56 – Section 31 C.F.R. 103.56(e) requires the FDIC to periodically provide specific violations of 31 C.F.R. 103 (BSA) as well as apparent violations of FDIC Rules and Regulations Part 326, Subpart B, to the Assistant Secretary of the Treasury. DSC relies on ViSION data to compile its report to the Treasury.

• 12 C.F.R. Part 327 – The FDIC relies on examination ratings and examination mail dates in the ViSION system when computing deposit insurance assessments to be charged to insured financial institutions.

Additionally, we assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.


Prior Coverage

We considered the following reports previously issued by the FDIC OIG in planning and conducting our work:

• Audit Report No. 04-017, Supervisory Actions Taken for Bank Secrecy Act Violations, dated March 2004. The objective of the audit was to determine whether the FDIC adequately follows up on BSA violations identified during examinations of FDIC-supervised financial institutions and ensures appropriate corrective actions are taken. The audit report stated that the FDIC had not ensured that all identified BSA violations were included and tracked in the ViSION system. Accordingly, the FDIC had not ensured complete reporting to the Treasury. The report recommended that the Director, DSC, re-evaluate and update examination guidance to strengthen the monitoring and follow-up processes for BSA violations, including consistent citation and recordation of all apparent violations in safety and soundness ROEs and the ViSION system.

• Audit Report No. 04-027, FDIC’s Virtual Supervisory Information on the Net Application, dated July 2004. The objective of the audit was to determine whether controls over the ViSION system’s operational components, including modules implemented through Phase III, were adequate. The audit identified some discrepancies between certain data in the ViSION system and hard copy ROEs. The audit report recommended that the Director, DSC, establish a data quality review process to periodically check for discrepancies between the ViSION system and the ROE. DSC agreed to incorporate such data quality reviews into its field territory reviews.


APPENDIX 2
ROLE OF EXAMINATION MAIL DATES IN CALCULATING DEPOSIT INSURANCE ASSESSMENTS


On November 2, 2006, the FDIC’s Board of Directors adopted a final rule on deposit insurance assessments as part of the implementation of the Federal Deposit Insurance Reform Act of 2005. Under the rule, the FDIC charges insured financial institutions quarterly insurance assessments based on the risk that the institutions pose to the Deposit Insurance Fund. In general, the FDIC calculates an institution’s quarterly insurance assessment by multiplying the institution’s assessable base amount by its risk-based assessment rate. The assessable base amount is the sum of the institution’s deposit liabilities (less permissible exclusions) derived from information contained in the institution’s Report of Condition and Income (Call Report) or Thrift Financial Report (TFR). The risk-based assessment rate is a number expressed in basis points that is derived from the institution’s risk assignment provided by the FDIC.
An institution’s risk assignment consists of four categories and is determined using various information, such as examination ratings, financial ratios from Call Reports and TFRs, and long-term debt issuer ratings for institutions that have them.

According to FDIC Rules and Regulations Part 327, Assessments:

    Changes to an institution’s risk assignment resulting from a supervisory ratings change become effective as of the date of written notification to the institution [i.e., the examination mail date] by its primary federal regulator or state authority of its supervisory rating (even when the CAMELS component ratings have not been disclosed to the institution), if the FDIC, after taking into account other information that could affect the rating, agrees with the rating. If the FDIC does not agree, changes to an institution’s risk assignment become effective as of the date that the FDIC determines that a change in the supervisory rating is warranted.

FDIC Circular 4700.1, Risk Related Premium System, dated June 6, 2007, states, “It continues to be extremely important to maintain accurate and complete FDIC database records relating to the assignment of CAMELS ratings and the date those ratings were transmitted to the institution. These records are used by RRPS to calculate the assessment rate.” The circular also states, “case managers must now enter the date of the transmittal letters completed by state authorities for State-only examinations in ViSION, as the transmittal date is the date pricing changes become effective.”


OIG Analysis of Examination Mail Dates in the ViSION System

The ViSION system contained inaccurate or incomplete examination mail dates for 8 of the 75 financial institutions we sampled.
Table 2 provides a summary of the unreliable examination mail dates we identified in the ViSION system.

Table 2: Unreliable Examination Mail Dates in the ViSION System

Financial     Agency Performing   Examination Mail Date   Examination Mail Date on the   Variance
Institution   the Examination     in the ViSION System    ROE Transmittal Memo
A             State               Blank                   8/25/2006                      N/A
B             State               Blank                   9/20/2006                      N/A
C             State               Blank                   11/3/2006                      N/A
D             State               7/5/2007                6/19/2007                      16 days
E             State               8/17/2007               7/16/2007                      32 days
F             FDIC                9/21/2007               9/24/2007                      3 days
G             State               12/6/2007               11/6/2007                      30 days
H             State               12/18/2007              11/26/2007                     22 days

Source: OIG analysis of information in the ViSION system and hard copy transmittal memorandums.

We requested that a DIR analyst review the examination mail dates contained in Table 2 to determine whether the unreliable data had an effect on deposit insurance premiums charged by the Corporation. The analyst concluded that the three blank examination mail dates had no effect on deposit insurance premiums due to the manner in which the Corporation calculated assessments prior to the implementation of deposit insurance reform legislation.
The analyst also concluded that inaccurate examination mail dates had no effect on the deposit insurance premiums charged to institutions F and G because the current examination ratings for these institutions were substantially the same as in the prior examinations. Further, the analyst concluded that inaccurate examination mail dates had at least some effect on the deposit insurance premiums for institutions D, E, and H because the current examination ratings for these institutions changed from the prior examinations. Based on information provided by the DIR analyst, we calculated the effect that inaccurate examination mail dates had on the premiums charged to institutions D, E, and H. Table 3 summarizes the results of our calculations.

Table 3: Effects of Unreliable Examination Mail Dates on Insurance Assessments

Financial     Percentage of Quarterly Assessment   Dollar Amount of Quarterly Assessment
Institution   That Was Not Correct                 That Was Not Correct
D             0.06%                                $6.00
E             0.40%                                ($94.00)*
H             9.60%                                ($3,050.00)
Total         N/A                                  ($3,138.00)

Source: OIG analysis of information provided by DIR.
*Parenthetical figures represent undercharges to financial institutions on their quarterly assessments.


APPENDIX 3
CORPORATION COMMENTS


APPENDIX 4
MANAGEMENT RESPONSE TO THE RECOMMENDATION


This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

Corrective Action Taken or Planned for the Recommendation: DSC will conduct a risk-based assessment of the supervisory information accessed in ViSION to formalize acceptable data accuracy rates and to refine and clarify controls and responsibilities for monitoring data accuracy.
Expected Completion Date: 6/30/2009
Monetary Benefits: N/A
Resolved [a], Yes or No: Yes
Open or Closed [b]: Open

[a] Resolved –
    (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
[b] Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive to the recommendations, the recommendations can be closed.


APPENDIX 5
ACRONYMS USED IN THE REPORT

BSA      Bank Secrecy Act
CAMELS   Capital Adequacy, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market Risk
C.F.R.   Code of Federal Regulations
DIR      Division of Insurance and Research
DIT      Division of Information Technology
DRR      Division of Resolutions and Receiverships
DSC      Division of Supervision and Consumer Protection
FBA      Federal Banking Agency
FDI      Federal Deposit Insurance
FIL      Financial Institution Letter
FinCEN   Financial Crimes Enforcement Network
GAO      Government Accountability Office
IER      Interagency Examination Repository
IT       Information Technology
OIG      Office of Inspector General
OMB      Office of Management and Budget
ROE      Report of Examination
RRPS     Risk Related Premium System
SAR      Suspicious Activity Report
SME      Subject Matter Expert
TFR      Thrift Financial Report
ViSION   Virtual Supervisory Information on the Net